[Freeipa-users] Wildcards in sudo external hostnames

Prashant Bapat prashant at apigee.com
Fri Feb 19 15:40:19 UTC 2016


Not using SSSD because Amazon Linux does not support samba libraries
required to compile it.

On 19 February 2016 at 14:28, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Fri, Feb 19, 2016 at 11:27:16AM +0530, Prashant Bapat wrote:
> > Hi,
> >
> > I'm using FreeIPA 4.1.4 with nss-pam-ldapd and the compat schema.
>
> Why not sssd?
>
> >
> > I'm thinking of moving sudo rules to IPA and with *ou=sudoers* and
> > sudo-ldap this works.
> >
> > In our setup we have a lot of rules with wildcard matching for sudo
> > hostnames, for example webserver*, dbserver*, etc.
> >
> > In the IPA UI, when I try to add the hostname with wildcard (*) char I get
> > an error from UI. * is not an allowed char.
> >
> > Looks like the UI is trying to validate the hostname using
> > validate_dns_label in ipa/util.py and obviously * is not one of the
> > allowed chars.
> >
> > Taking a look at the documentation of sudo, wildcards are pretty widely
> > used. More info here
> > https://www.sudo.ws/man/1.8.15/sudoers.man.html#x57696c646361726473
> >
> > Other than editing the LDAP schema outside of IPA (this will work) what
> > are the other options to solve this?
>
> I guess hostgroups/netgroups are even better (more explicit) than
> wildcards.
>
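As an added illustration (not code from the thread or from FreeIPA), the following Python matcher applies sudoHost values the way sudoers(5) does, so you can see why a wildcard like webserver* matches any host with that prefix while a netgroup (what an IPA hostgroup becomes in the compat tree) only matches its explicit members. The rule names, the netgroup membership and the DNS-label regex (an approximation of the check the UI performs, not validate_dns_label itself) are all constructed for this example.

```python
import fnmatch
import re

# Constructed sample: sudoHost values as they might appear on sudoRole entries
# under ou=sudoers. Rule names are hypothetical.
SUDO_RULES = {
    "web_admins": ["webserver*"],       # sudoers-style wildcard
    "db_admins": ["dbserver*"],
    "all_hosts": ["ALL"],
    "web_netgroup": ["+webservers"],    # netgroup form: the hostgroup alternative
}

# Constructed netgroup membership, standing in for what the IPA compat tree
# would publish for a hostgroup (assumption for this example).
NETGROUPS = {"webservers": {"webserver01", "webserver02"}}

# Approximation of a DNS-label check: letters, digits and inner hyphens only.
DNS_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)


def is_valid_dns_label(label):
    """True for a plain DNS label; '*' (and other wildcard chars) are rejected,
    which is the behaviour the UI error in the thread reflects."""
    return len(label) <= 63 and bool(DNS_LABEL_RE.match(label))


def host_spec_matches(spec, hostname):
    """Apply one sudoHost value to a hostname with sudoers(5) semantics:
    ALL, +netgroup, or a (possibly wildcarded) host name."""
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        # Netgroup: only explicit members match, no pattern expansion.
        return hostname in NETGROUPS.get(spec[1:], set())
    # sudoers matches host wildcards with fnmatch(3); hostnames are
    # case-insensitive, so normalise both sides first.
    return fnmatch.fnmatchcase(hostname.lower(), spec.lower())


def rules_for_host(hostname, rules=SUDO_RULES):
    """Return the sorted names of rules whose sudoHost applies to hostname."""
    return sorted(name for name, specs in rules.items()
                  if any(host_spec_matches(s, hostname) for s in specs))
```

Note that webserver03 is picked up by the wildcard rule but not by the netgroup rule, which is the "more explicit" property the reply refers to.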